
On Thursday, the U.S. Federal Bureau of Investigation (FBI) issued a flash alert warning that North Korean state-sponsored threat actors are using malicious QR codes in spear-phishing attacks targeting entities in the United States.
"As of 2025, Kimsuky actors have targeted think tanks, academic institutions, and both U.S. and foreign government entities with embedded malicious Quick Response (QR) codes in spear-phishing campaigns," the FBI said in the flash alert. "This type of spear-phishing attack is referred to as quishing."
Delivering the phishing link as a QR code pushes the victim off a machine governed by corporate policy and onto a mobile device that may not have the same protections. The link is never rendered as text in the email, so URL rewriting, link scanning and endpoint controls on the managed workstation never see it, which lets the attacker sidestep traditional defences.
Kimsuky, also tracked as APT43, Black Banshee, Emerald Sleet, Springtail, TA427, and Velvet Chollima, is assessed to be associated with North Korea's Reconnaissance General Bureau (RGB). The group has long run spear-phishing campaigns built specifically to get around email authentication mechanisms.
In an advisory published in May 2024, the U.S. government said the group abused weakly configured Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies to send emails that appeared to originate from a legitimate domain.
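The DMARC weakness described above is a policy problem, not a cryptographic one: a domain can publish SPF and DKIM correctly and still tell receivers to do nothing when a message fails alignment. The following is an added example, not code from the FBI alert or the 2024 advisory, that parses a DMARC TXT record and reports why it would let spoofed mail through. The sample records and the example.org addresses in it are constructed for illustration; the tag semantics (p, sp, pct, rua, the sp-defaults-to-p rule) follow RFC 7489.

```python
"""Classify a DMARC policy record as weak or enforcing.

Added example, not from the FBI alert or the 2024 advisory. The sample
records below are constructed; the example.org addresses are placeholders.
"""

# Only these policies tell a receiving MTA to act on mail that fails DMARC.
ENFORCING = {"quarantine", "reject"}


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record ("v=DMARC1; p=none; ...") into a tag dict.

    Tag names are case-insensitive per RFC 7489, so they are lower-cased;
    values are kept verbatim apart from whitespace trimming. Raises
    ValueError on a malformed tag or a missing v=DMARC1 tag.
    """
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record does not carry v=DMARC1")
    return tags


def assess_dmarc(txt: str, subdomain: bool = False) -> list:
    """Return findings explaining why the record would not stop spoofing.

    An empty list means failing mail is quarantined or rejected for the
    scope asked about (organizational domain, or a subdomain when
    subdomain=True) at 100% of messages, and aggregate reports are requested.
    """
    tags = parse_dmarc(txt)
    findings = []
    p = tags.get("p", "").lower()
    sp = tags.get("sp", p).lower()          # sp defaults to p when absent
    pct = int(tags.get("pct", "100"))       # pct defaults to 100
    effective = sp if subdomain else p
    if effective not in ENFORCING:
        findings.append(
            f"policy '{effective or 'missing'}' does not block spoofed mail")
    if pct < 100:
        findings.append(
            f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if "rua" not in tags:
        findings.append(
            "no rua= address: aggregate reports on spoofing are never delivered")
    return findings


# Constructed sample records: the weak setting, a hardened one, and one that
# protects the apex domain but leaves every subdomain open to spoofing.
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.org"
HARDENED = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
            "rua=mailto:dmarc@example.org")
SUBDOMAIN_GAP = "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.org"

if __name__ == "__main__":
    for label, rec in (("weak", WEAK), ("hardened", HARDENED),
                       ("subdomain gap", SUBDOMAIN_GAP)):
        print(label, "->", assess_dmarc(rec) or "enforcing")
        print(label, "(subdomain) ->",
              assess_dmarc(rec, subdomain=True) or "enforcing")
```

The record to feed in is the TXT record published at `_dmarc.<domain>`. The `subdomain` switch matters in practice: a record that reads as enforcing for the apex domain can still be abused through any subdomain when `sp` is left at `none`, which a check that only looks at `p=` will miss.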
The FBI said that in May and June 2025 it observed Kimsuky actors using malicious QR codes in targeted phishing activity, including:
Sending emails that posed as a foreign advisor and asked a think tank leader for their opinion on recent events on the Korean Peninsula, with a QR code to scan in order to reach a questionnaire.
Using a fake embassy employee persona to email a senior fellow at a think tank, asking for their views on North Korean human rights issues, with a QR code that purportedly gave access to a secure disc.
Spoofing a think tank employee in emails carrying a QR code meant to direct the victim to attacker-controlled infrastructure for further action.
Emailing a strategic consultancy with an invitation to a conference that does not exist, asking recipients to scan a QR code that redirected them to a registration landing page built to harvest their Google account credentials through a fake login page.
The disclosure comes less than a month after ENKI detailed a Kimsuky QR code campaign that distributed a new variant of the Android malware DocSwap through phishing emails impersonating a Seoul-based logistics company.
"Quishing operations frequently end with session token theft and replay, enabling attackers to bypass multi-factor authentication and hijack cloud identities without triggering typical 'MFA failed' alerts," the FBI said. "Adversaries then establish persistence in the organisation and propagate secondary spear-phishing from the compromised mailbox."
"Because the compromise path originates on unmanaged mobile devices outside normal Endpoint Detection and Response (EDR) and network inspection boundaries, quishing is now considered a high-confidence, MFA-resilient identity intrusion vector in enterprise environments."
